Auteur Sujet: [FireEye]FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed!  (Lu 311 fois)

0 Membres et 1 Invité sur ce sujet

Hors ligne igor51

  • Admin
  • Mega Power Members
  • *****
  • Messages: 10332
FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed!

As a reverse engineer on the FLARE Team I rely on a customized
  Virtual Machine (VM) to perform malware analysis. The Virtual Machine
  is a Windows installation with numerous tweaks and tools to aid my
  analysis. Unfortunately trying to maintain a custom VM like this is
  very laborious: tools frequently get out of date and it is hard to
  change or add new things. There is also a constant fear that if the VM
  gets corrupted it would be super tedious to replicate all of the
  settings and tools that I’ve built up over the years. To address this
  and many related challenges, I have developed a standardized (but
  easily customizable) Windows-based security distribution called FLARE VM.


FLARE VM is a freely available and open sourced Windows-based
  security distribution designed for reverse engineers, malware
  analysts, incident responders, forensicators, and penetration testers.
  Inspired by open-source Linux-based security distributions like Kali
  Linux, REMnux and others, FLARE VM delivers a fully configured
  platform with a comprehensive collection of Windows security tools
  such as debuggers, disassemblers, decompilers, static and dynamic
  analysis utilities, network analysis and manipulation, web assessment,
  exploitation, vulnerability assessment applications, and many others.


The distribution also includes the FLARE team’s public malware
  analysis tools such as FLOSS and FakeNet-NG.


How To Get It


You are expected to have an existing installation of Windows 7 or
  above. This allows you to choose the exact Windows version, patch
  level, architecture and virtualization environment yourself.


Once you have that available, you can quickly deploy the FLARE VM
  environment by visiting the following URL in Internet Explorer
  (other browsers are not going to work):


      href="" target="_blank">


After you navigate to the above URL in the Internet Explorer, you
  will be presented with a Boxstarter WebLauncher dialog. Select
  Run to continue the installation as illustrated in Figure 1.


 Figure 1: FLARE VM Installation


Following successful installation of Boxstarter WebLauncher, you
  will be presented with a console window and one more prompt to enter
  your Windows password as shown in Figure 2. Your Windows password is
  necessary to restart the machine several times during the installation
  without prompting you to login every time.


 Figure 2: Boxstarter Password Prompt


The rest of the process is fully automated, so prepare yourself a
  cup of coffee or tea. Depending on your connection speed, the initial
  installation takes about 30-40 minutes. Your machine will also reboot
  several times due to the numerous software installation’s
  requirements. During the deployment process, you will see installation
  logs of a number of packages.


Once the installation is complete, it is highly recommended to
  switch the Virtual Machine networking settings to Host-Only mode so
  that malware samples would not accidentally connect to the Internet or
  local network. Also, take a fresh virtual machine snapshot so this
  clean state is saved! The final FLARE VM installation should look like
  Figure 3.


 Figure 3: FLARE VM installation


NOTE: If you encounter a large number of error messages, try to
  simply restart the installation. All of the existing packages will be
  preserved and new packages will be installed.


Getting Started


The VM configuration and the included tools were either developed or
  carefully selected by the members of the FLARE team who have been
  reverse engineering malware, analyzing exploits and vulnerabilities,
  and teaching malware analysis classes for over a decade. All of the
  tools are organized in the directory structure shown in Figure 4.


  Figure 4: FLARE VM Tools


While we attempt to make the tools available as a shortcut in the
  FLARE folder, there are several available from command-line only.
  Please see the online documentation at   href=""> for the most up to
  date list.


Sample Analysis


In order to best illustrate how FLARE VM can assist in malware
  analysis tasks let’s perform a basic analysis on one of the samples we
  use in our Malware Analysis Crash Course.


First, let’s obtain some basic indicators by looking at the strings
  in the binary. For this exercise, we are going to run FLARE’s own
  FLOSS tool, which is a strings utility on steroids. Visit   href=""> for
  additional information about the tool. You can launch it by clicking
  on the FLOSS icon in the taskbar and running it against the sample as
  illustrated in Figure 5.


 Figure 5: Running FLOSS


Unfortunately, looking over the resulting strings in Figure 6 only
  one string really stands out and it is not clear how it is used.


 Figure 6: Strings Analysis


Let’s dig a bit more into the binary by opening up CFF Explorer in
  order to analyze sample’s imports, resources, and PE header structure.
  CFF Explorer and a number of other utilities are available in the
  FLARE folder that can be accessed from the Desktop or the Start menu
  as illustrated in Figure 7.


 Figure 7: Opening Utilities


While analyzing the PE header, there were several indicators that
  the binary contains a resource object with an additional payload. For
  example, the Import Address Table contained relevant Windows API calls
  such as LoadResource, FindResource and finally WinExec. Unfortunately,
  as you can see in Figure 8 the embedded payload “BIN” contains junk so
  it is likely encrypted.


 Figure 8: PE Resource


At this point, we could continue the static analysis or we could
  “cheat” a bit by switching over to basic dynamic analysis techniques.
  Let’s attempt to quickly gather basic indicators by using another
  FLARE tool called FakeNet-NG. FakeNet-NG is a dynamic network
  emulation tool which tricks malware into revealing its network
  functionality by presenting it with fake services such as DNS, HTTP,
  FTP, IRC and many others. Please visit   href=""> for additional
  information about the tool.


Also, let’s launch Procmon from Sysinternals Suite in order to
  monitor all of the File, Registry and Windows API activity as well.
  You can find both of these frequently used tools in the taskbar
  illustrated in Figure 9.


 Figure 9: Dynamic Analysis


After executing the sample with Administrator privileges, we quickly
  find excellent network- and host–based indicators. Figure 10 shows
  FakeNet-NG responding to malware’s attempt to communicate with using HTTP protocol. Here we capture useful
  indicators such as a complete HTTP header, URL and a potentially
  unique User-Agent string. Also, notice that FakeNet-NG is capable of
  identifying the exact process communicating which is
  level1_payload.exe. This process name corresponds to the unique
  string that we have identified in the static analysis, but couldn’t
  understand how it was used.


  Figure 10: FakeNet-NG


Comparing our findings with the output of Procmon in Figure 11, we
  can confirm that the malware is indeed responsible for creating
    level1_payload.exe executable in the system32 folder.


 Figure 11: Procmon


As part of the malware analysis process, we could continue digging
  deeper by loading the sample in a disassembler and performing further
  analysis inside a debugger. However, I would not want to spoil this
  fun for our Malware Analysis Crash Course students by sharing all the
  answers here. That said all of the relevant tools to perform such
  analysis are already included in the distribution such as IDA Pro and
  Binary Ninja disassemblers, a nice collection of debuggers and several
  plugins, and many others to make your reverse engineering tasks as
  convenient as possible.


Have It Your Way


FLARE VM is a constantly growing and changing project. While we try
  to cover as many use-case scenarios as possible it is simply
  impossible due to the nature of the project. Luckily, FLARE VM is
  extremely easy to customize because it was built on top of the
  Chocolatey project. Chocolatey is a Windows-based package management
  system with thousands of packages. You can find the list here:   href="">
  In addition to the public Chocolatey repository, FLARE VM uses our own
  FLARE repository which constantly growing and currently contains about
  40 packages.


What all this means is that if you want to quickly add some package,
  let’s say Firefox, you no longer have to navigate to the software
  developer’s website. Simply open up a console and type in the command
  in Figure 12 to automatically download and install any package:


 Figure 12: Installing packages


In a few short moments, Firefox icon is going to appear on your
  Desktop with no user interaction necessary.


Staying up to date


As I’ve mentioned in the beginning, one of the hardest challenges of
  unmanaged Virtual Machine is trying to keep all the tools up to date.
  FLARE VM solves this problem. You can completely update the entire
  system by simply running the command in Figure 13.


 Figure 13: Staying up to date


If any of the installed packages have newer versions, they will be
  automatically downloaded and installed.


  NOTE: Don’t forget to take another clean snapshot of an updated
    system and set networking back to Host-Only.




I hope you enjoy this new free tool and will adopt it as another
  trusted resource to perform reverse engineering and malware analysis
  tasks. Next time you need to set up a new malware analysis
  environment, try out FLARE VM!


In these few pages, we could only scratch the surface of everything
  that FLARE VM is capable of; however, feel free to leave your
  comments, tool requests, and bugs on our Github issues page here:   href="">

Source: FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed!